Closed
Bug 1625116
Opened 5 months ago
Closed 4 months ago
Assertion failure: isMemberExpression || isCallExpression || isOptionalExpression (Unknown ParseNodeKind for OptionalChain), at js/src/frontend/BytecodeEmitter.cpp:7732
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
VERIFIED
FIXED
mozilla76
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox74 | --- | wontfix |
| firefox75 | --- | wontfix |
| firefox76 | --- | verified |
People
(Reporter: decoder, Assigned: yulia)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])
Attachments
(2 files)
The following testcase crashes on mozilla-central revision 20200326-3e5a7430c8d7 (build with --enable-debug, run with --fuzzing-safe --no-threads):
`${G}`?.r
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x00005555561c6941 in js::frontend::BytecodeEmitter::emitOptionalTree(js::frontend::ParseNode*, js::frontend::OptionalEmitter&, js::frontend::ValueUsage) ()
#1 0x00005555561c67aa in js::frontend::BytecodeEmitter::emitOptionalTree(js::frontend::ParseNode*, js::frontend::OptionalEmitter&, js::frontend::ValueUsage) ()
#2 0x00005555561ca9eb in js::frontend::BytecodeEmitter::emitOptionalChain(js::frontend::UnaryNode*, js::frontend::ValueUsage) ()
#3 0x00005555561b0322 in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote, bool) ()
#4 0x00005555561c5489 in js::frontend::BytecodeEmitter::emitExpressionStatement(js::frontend::UnaryNode*) ()
#5 0x00005555561b057d in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote, bool) ()
#6 0x00005555561c5272 in js::frontend::BytecodeEmitter::emitStatementList(js::frontend::ListNode*) ()
#7 0x00005555561b055d in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote, bool) ()
#8 0x00005555561b3b90 in js::frontend::BytecodeEmitter::emitScript(js::frontend::ParseNode*) ()
#9 0x00005555561dbf4d in js::frontend::ScriptCompiler<mozilla::Utf8Unit>::compileScript(js::frontend::CompilationInfo&, JS::Handle<JSObject*>, js::frontend::SharedContext*) ()
#10 0x00005555561a2717 in js::frontend::CompileGlobalScript(js::frontend::CompilationInfo&, js::frontend::GlobalSharedContext&, JS::SourceText<mozilla::Utf8Unit>&) ()
#11 0x0000555555b21257 in JSScript* CompileSourceBuffer<mozilla::Utf8Unit>(JSContext*, JS::ReadOnlyCompileOptions const&, JS::SourceText<mozilla::Utf8Unit>&) ()
#12 0x0000555555b2164b in JS::CompileUtf8FileDontInflate(JSContext*, JS::ReadOnlyCompileOptions const&, _IO_FILE*) ()
#13 0x00005555557e7f0c in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool) ()
#14 0x00005555557e73c4 in Process(JSContext*, char const*, bool, FileKind) ()
#15 0x000055555578e929 in Shell(JSContext*, js::cli::OptionParser*, char**) ()
#16 0x0000555555786219 in main ()
rax 0x555556f47123 93825019441443
rbx 0x0 0
rcx 0x555557f2d850 93825036114000
rdx 0x0 0
rsi 0x7ffff6efd770 140737336301424
rdi 0x7ffff6efc540 140737336296768
rbp 0x7fffffffa770 140737488332656
rsp 0x7fffffffa720 140737488332576
r8 0x7ffff6efd770 140737336301424
r9 0x7ffff7f9cd00 140737353731328
r10 0x58 88
r11 0x7ffff6ba47a0 140737332791200
r12 0x7ffff5e7c090 140737318994064
r13 0x0 0
r14 0x7fffffffa7e0 140737488332768
r15 0x7fffffffabe8 140737488333800
rip 0x5555561c6941 <js::frontend::BytecodeEmitter::emitOptionalTree(js::frontend::ParseNode*, js::frontend::OptionalEmitter&, js::frontend::ValueUsage)+865>
=> 0x5555561c6941 <_ZN2js8frontend15BytecodeEmitter16emitOptionalTreeEPNS0_9ParseNodeERNS0_15OptionalEmitterENS0_10ValueUsageE+865>: movl $0x1e34,0x0
0x5555561c694c <_ZN2js8frontend15BytecodeEmitter16emitOptionalTreeEPNS0_9ParseNodeERNS0_15OptionalEmitterENS0_10ValueUsageE+876>: callq 0x55555581199a <abort>
|
Reporter | |
Comment 1•5 months ago
|
||
|
||
Updated•5 months ago
|
Flags: needinfo?(ystartsev)
|
Assignee | |
Updated•5 months ago
|
Assignee: nobody → ystartsev
Flags: needinfo?(ystartsev)
|
||
Updated•5 months ago
|
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
|
|
||
Comment 2•5 months ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200327094805-2998408f57b1.
Failed to bisect testcase (Start build crashes!):
> Start: 3e5a7430c8d7d87bfeff471e62643185393a34c6 (20200326093308)
> End: 2998408f57b103e0ca4256d55bca54c1f046aca6 (20200327094805)
> BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False)
|
||
Updated•5 months ago
|
Priority: -- → P1
|
|
||
Comment 3•4 months ago
|
||
Bugmon Analysis:
|
|
Assignee | |
Comment 4•4 months ago
|
||
huh, weird i pushed a patch for this but it never got here for some reason
|
|
Assignee | |
Comment 5•4 months ago
|
||
Pushed by ystartsev@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/d06d14647f6f add templateStringListExpr to list of optionalexprs; r=jorendorff
|
||
Comment 7•4 months ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla76
|
||
Updated•4 months ago
|
status-firefox74:
--- → wontfix
status-firefox75:
--- → wontfix
status-firefox-esr68:
--- → unaffected
Flags: in-testsuite+
|
|
||
Updated•4 months ago
|
|
|
||
Comment 8•4 months ago
|
||
Bugmon Analysis: Verified bug as fixed on rev mozilla-central 20200423145559-03626342f6e6. Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
You need to log in
before you can comment on or make changes to this bug.
Description
•